1.4 Why CERT-RMM Is Not a Capability Maturity Model
The development of maturity models in the security, continuity, IT operations, and resilience space is increasing dramatically. This is not surprising, since models like CMMI have proven their ability to transform the way that organizations and industries work. Unfortunately, not all maturity models contain the rigor of models like CMMI, nor do they accurately deploy many of the maturity model constructs used successfully by CMMI. It is important to have some basic knowledge about the construction of maturity models in order to understand what differentiates CERT-RMM and why the differences ultimately matter.
In its simplest form, a maturity model is an organized way to convey a path of experience, wisdom, perfection, or acculturation. The subject of a maturity model can be objects or things, ways of doing something, characteristics of something, practices, or processes. For example, a simple maturity model could define a path of successively improved tools for doing math: using fingers, using an abacus, using an adding machine, using a slide rule, using a computer, or using a hand-held calculator. Thus, a hand-held calculator may be viewed as a more mature tool than a slide rule.
A capability maturity model (in the likeness of CMMI) is a much more complex instrument, with several distinguishing features. One of these features is that the maturity dimension in the model is a characterization of the maturity of processes. Thus, what is conveyed in a capability maturity model is the degree to which processes are institutionalized and the degree to which the organization demonstrates process maturity.
As you will learn in Chapter 5, these concepts correlate to the description of the "levels" in CMMI. For example, at the "defined" level, the characteristics of a defined process (governed, staffed with trained personnel, measured, etc.) are applied to a software or systems engineering process. The same holds for the "managed" level, where the characteristics of a managed process are applied to software or systems engineering processes. Unfortunately, many so-called maturity models that claim to be based on CMMI attempt to use CMMI maturity level descriptions yet do not have a process orientation.
Another feature of CMMI—as implied by its name—is that there are really two maturity dimensions in the model. The capability dimension describes the degree to which a process has been institutionalized. Institutionalized processes are more likely to be retained during times of stress. They apply to an individual process area, such as incident management and control. On the other hand, the maturity dimension is described in maturity levels, which define levels of organizational maturity that are achieved through raising the capability of a set of process areas in a manner prescribed by the model.
From the start, the focus in developing CERT-RMM was to describe operational resilience management from a process perspective, which would allow for the application of process improvement tools and techniques and provide a foundational platform for better and more sophisticated measurement methodologies and techniques. The ultimate goal in CERT-RMM is to ensure that operational resilience processes produce intended results (such as improved ability to manage incidents or an accurate asset inventory), and as the processes are improved, so are the results and the benefits to the organization. Because CERT-RMM is a process-focused model at its core, it was perfectly suited for the application of CMMI's capability dimension. Thus, the model contained in this book constitutes a maturity model that has a capability dimension. However, this is not the same as a capability maturity model, since CERT-RMM does not yet provide an organizational expression of maturity. Describing organizational maturity for managing operational resilience by defining a prescriptive path through the model (i.e., by providing an order by which process areas should be addressed) requires additional study and research. All indications from early model use, benchmarking, and piloting are that a capability maturity model for operational resilience management founded on CERT-RMM is achievable in the future.